MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26e8ad89639c328bbab5ab919135cdea65c4e95beb4513ee248e117fa992e4aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Blackmoon


Vendor detections: 16


Intelligence 16 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 26e8ad89639c328bbab5ab919135cdea65c4e95beb4513ee248e117fa992e4aa
SHA3-384 hash: af87c3e5e43880760a5413b2f138abc76426c6cb88d3a2c4a27e2e29f992fb97047a1e0e21fadcfadfcee44325b79c72
SHA1 hash: e8d7216c0becb4a62ce258ffab3aa8933de61d0b
MD5 hash: 9f6e20242b0c7a027f6131c625330e28
humanhash: paris-queen-equal-pluto
File name:2025-05-07_9f6e20242b0c7a027f6131c625330e28_amadey_black-basta_elex_hijackloader_icedid_rhadamanthys_smoke-loader_xiaobaminer
Download: download sample
Signature Blackmoon
Create hunting rule
File size:5'324'354 bytes
First seen:2025-05-08 00:41:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 53d02dee8a3558f2a2295b34eb0d6374 (59 x Blackmoon, 2 x CoinMiner)
ssdeep 49152:GbYsnzcErdwaZ2hTBUhMvp/KCGZd0qgNEf16lhulJLirHJIZ/K0tDAy49uO7G6XM:T9atWQtZ/K0tGOFWVRuLftCT
Threatray 52 similar samples on MalwareBazaar
TLSH T124365B13F6E940A9E0AAD274DF3586219B72BC5A4BF1A5DF324432D41F72AD07B38721
TrID 38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.0% (.EXE) Win64 Executable (generic) (10522/11/4)
8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
dhash icon f8ba6c0e0ec982c0 (62 x Blackmoon, 2 x CoinMiner)
Reporter neiki_dev
Tags:Blackmoon exe ZhuDongFangYu

Intelligence

File Origin
# of uploads :
1
# of downloads :
486
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2025-05-07_9f6e20242b0c7a027f6131c625330e28_amadey_black-basta_elex_hijackloader_icedid_rhadamanthys_smoke-loader_xiaobaminer
Verdict:
Malicious activity
Analysis date:
2025-05-07 08:25:41 UTC
Tags:
blackmoon stealer auto-reg
Link:
https://app.any.run/tasks/96826106-5763-436a-b6dd-ec6d3c27ac6b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.PUA.Tool.BtcMine-2.UNOFFICIAL
Create hunting rule

Win.Trojan.Qhost-160
Create hunting rule

Win.Dropper.Tiggre-9845940-0
Create hunting rule

Win.Trojan.Generic-10020386-0
Create hunting rule

Win.Malware.Score-6940809-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=681b190491991ead82b5b457
Tags:
blackmoon autorun emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the Windows subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Enabling the 'hidden' option for recently created files
Creating a file
Modifying an executable file
Modifying a system executable file
Blocking the User Account Control
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Blocking a possibility to launch for the Windows registry editor (regedit.exe)
Changing the Windows explorer settings
Creating a file in the mass storage device
Enabling a "Do not show hidden files" option
Enabling threat expansion on mass storage devices
Changing the hosts file
Infecting executable files
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm evasive expand explorer fingerprint iceid keylogger lolbin microsoft_visual_cc overlay overlay packed packer_detected rundll32
Link:
https://www.filescan.io/uploads/681bfda9c7418694c8a715d4/reports/e2853d0b-992f-4526-8b7e-73b54b18990e/overview
Verdict:
Malicious
Labled as:
Dropper.Generic.AutorunINF.Recex.1
Link:
https://www.hybrid-analysis.com/sample/26e8ad89639c328bbab5ab919135cdea65c4e95beb4513ee248e117fa992e4aa
Malware family:
XiaoBa
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0eaf1237-84fc-4e84-8efd-6a414809f858
Result
Threat name:
Coinhive
Create hunting rule
Detection:
malicious
Classification:
spre.adwa.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1683894
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes the view of files in windows explorer (hidden files and folders)
Creates an undocumented autostart registry key
Creates autorun.inf (USB autostart)
Creates files in the recycle bin to hide itself
Disables the Windows registry editor (regedit)
Disables UAC (registry)
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Found strings related to Crypto-Mining
Infects executable files (exe, dll, sys, html)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Mutes Antivirus updates and installments via hosts file black listing
Yara detected Coinhive miner
Behaviour
Behavior Graph:
Download SVG
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/26e8ad89639c328bbab5ab919135cdea65c4e95beb4513ee248e117fa992e4aa
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/26e8ad89639c328bbab5ab919135cdea65c4e95beb4513ee248e117fa992e4aa/
Threat name:
Win32.Coinminer.XiaoBaMiner
Create hunting rule
Status:
Malicious
First seen:
2025-05-03 01:51:33 UTC
File Type:
PE (Exe)
Extracted files:
291
AV detection:
24 of 24 (100.00%)
Threat level:
  4/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e3uk3cldtqzixovvvoizcnon5js4j2k35ncrh3reryix7kms4sva._file
Verdict:
malicious
Label(s):
krbanker
Create hunting rule
Similar samples:
0b17a76dbbb420c311a91601f900c63f2686a4f8db662f3a072dd2579a703c9d
Blackmoon
187f22812211a8ef344c518951570d40882a21df15bbff15e6f40d857a904c1e
Blackmoon
18be2254e9daa29e81df2a47bab436bb00f643daa29dfae562c32259d17f2a7a
Blackmoon
c4417be466f8137886332cce34ead707da7fe8f8d6b58333f4945f16f705b90b
Blackmoon
error
Blackmoon
+ 42 additional samples on MalwareBazaar
Result
Malware family:
blackmoon
Create hunting rule
Score:
  10/10
Tags:
family:blackmoon banker defense_evasion discovery persistence spyware stealer trojan
Link:
https://tria.ge/reports/250508-a1vznsgl2y/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops autorun.inf file
Drops file in System32 directory
Adds Run key to start application
Checks whether UAC is enabled
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Adds policy Run key to start application
Disables RegEdit via registry modification
Drops file in Drivers directory
Blackmoon family
Blackmoon, KrBanker
Detect Blackmoon payload
UAC bypass
Verdict:
Malicious
Tags:
cryptojacking trojan blackmoon Win.Trojan.Qhost-160
YARA:
crypto_jacking_signatures MALWARE_Win_BlackMoon
Link:
https://app.threat.zone/submission/6a25745f-de91-4ab0-9d49-0fe478ba6341
Unpacked files
SH256 hash:
26e8ad89639c328bbab5ab919135cdea65c4e95beb4513ee248e117fa992e4aa
MD5 hash:
9f6e20242b0c7a027f6131c625330e28
SHA1 hash:
e8d7216c0becb4a62ce258ffab3aa8933de61d0b
Detections:
BlackmoonBanker
Create hunting rule
Link:
https://www.unpac.me/results/24aed911-fefc-443f-80de-889c97e874b3/
SH256 hash:
0350407fd5c8df439eaa1450f66428933ada5f4aae01743f219d43fddc668a8b
MD5 hash:
f3ea2f1d80738777c226c7d0c4212662
SHA1 hash:
6b4612d6849306588b6076ba24c663422a4e8cb3
Link:
https://www.unpac.me/results/24aed911-fefc-443f-80de-889c97e874b3/
SH256 hash:
f8dcaefc1fe26e82deef034d4e6aa6c30c31df7de4a6da7995101d1c489d3a7d
MD5 hash:
95ac0b6758fef5ca86b4cc8bf3586c1c
SHA1 hash:
dd7ef78cf32ecdd4b75f1ea64afd354e3a560859
Link:
https://www.unpac.me/results/24aed911-fefc-443f-80de-889c97e874b3/
SH256 hash:
47c67c1c88ceaee3cf1667bf956a3e11a84dea2f7c2afc634777aa5f1bf65c76
MD5 hash:
6ff84be315cfafbbdf36aa01af8389e7
SHA1 hash:
2c550a4059ac331f5f5c9d3f218e0f6184aa27c9
Link:
https://www.unpac.me/results/24aed911-fefc-443f-80de-889c97e874b3/
SH256 hash:
458e46e92b872430f68363a4061403a88f41fda8807f69418b54e83db199643b
MD5 hash:
bada7311d82cfa73a7db1d1eec9214e1
SHA1 hash:
bccb3c01daf175281d14a6def751a0caf99f6837
Link:
https://www.unpac.me/results/24aed911-fefc-443f-80de-889c97e874b3/
SH256 hash:
5917d321051b1d8ba2ba1e89b42d7d2623b59803b7d8a424695b70edd4e87dcc
MD5 hash:
e283a1c7f4b53f5b9a79d4d8d06e7eac
SHA1 hash:
ed48f3152d119d9df076c586f39129e8043e5a89
Link:
https://www.unpac.me/results/24aed911-fefc-443f-80de-889c97e874b3/
SH256 hash:
a8c4ca099a07dbd87d9045f22be0e4acb34857323b8633d7fac46c97dc41d6ef
MD5 hash:
c451c81ed46b64c08d9db05237dcee8d
SHA1 hash:
ac63c873facf263439de14edde1b03f51514e0fe
Link:
https://www.unpac.me/results/24aed911-fefc-443f-80de-889c97e874b3/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/26e8ad89639c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/26e8ad89639c328bbab5ab919135cdea65c4e95beb4513ee248e117fa992e4aa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BlackMoon
Create hunting rule
Author:NDA0E
Description:Detects BlackMoon
Rule name:blackmoon_payload_v1
Create hunting rule
Author:RandomMalware
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MALWARE_Win_BlackMoon
Create hunting rule
Author:ditekSHen
Description:Detects executables using BlackMoon RunTime
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:virustotal
Create hunting rule
Author:Tracel

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Blackmoon

Executable exe 26e8ad89639c328bbab5ab919135cdea65c4e95beb4513ee248e117fa992e4aa

(this sample)

  
Link
https://tip.neiki.dev/file/26e8ad89639c328bbab5ab919135cdea65c4e95beb4513ee248e117fa992e4aa
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteA
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.DLL::OpenProcess
ADVAPI32.dll::OpenProcessToken
KERNEL32.DLL::CloseHandle
KERNEL32.DLL::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::TerminateProcess
KERNEL32.DLL::LoadLibraryA
KERNEL32.DLL::GetDriveTypeA
KERNEL32.DLL::GetStartupInfoA
KERNEL32.DLL::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.DLL::SetStdHandle
WIN_BASE_IO_APICan Create FilesKERNEL32.DLL::CopyFileA
KERNEL32.DLL::CreateDirectoryA
KERNEL32.DLL::CreateFileA
KERNEL32.DLL::DeleteFileA
KERNEL32.DLL::GetWindowsDirectoryA
KERNEL32.DLL::GetSystemDirectoryA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExA
ADVAPI32.dll::RegDeleteKeyA
ADVAPI32.dll::RegOpenKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments